The Impact of the EU DORA Act on Non-EU Financial Organizations

  • August 14, 2024

The EU Digital Operational Resilience Act (DORA) is a significant regulatory framework designed to strengthen the digital resilience of financial institutions within the European Union.

While the primary focus of DORA is on EU-based entities, its impact extends beyond the EU's borders, particularly to financial organizations outside the EU that have business ties with the region.

Here’s how DORA impacts financial organizations outside the EU.

1. Third-Party Service Providers

  • Scope of Regulation. DORA covers not just financial entities within the EU but also third-party service providers, including cloud, software, and IT service providers. If these providers serve EU financial institutions, they must comply with DORA’s requirements, even if they are based outside the EU.
  • Increased Compliance Costs. Non-EU service providers might need to invest in compliance infrastructure to meet DORA standards, which include stringent cybersecurity measures, operational resilience requirements, and incident reporting protocols.
  • Operational Changes. These providers may need to adapt their operations to comply with DORA’s requirements, potentially impacting service delivery, pricing, and contractual arrangements with their EU clients.

2. Cross-Border Operations

  • EU Subsidiaries. Non-EU financial organizations with subsidiaries or branches in the EU must ensure that these entities comply with DORA. This might require significant changes in internal processes, governance structures, and IT systems.
  • Data Protection and Transfer. DORA's focus on operational resilience and cybersecurity intersects with data protection regulations. Non-EU organizations must ensure that data transfers and processing are compliant with EU standards, which could involve changes in data management practices.

3. Competitive Pressure

  • Market Access. To maintain or gain access to the EU market, non-EU financial organizations must align with DORA’s requirements. Failure to comply might restrict their ability to operate within the EU or provide services to EU-based clients.
  • Reputation and Trust. Organizations that proactively comply with DORA may gain a competitive edge by being seen as trustworthy and secure partners. Conversely, those that lag may face reputational risks, especially in a market increasingly focused on cybersecurity and operational resilience.

4. Indirect Impact Through Business Relationships

  • Supply Chain Scrutiny. DORA requires EU financial entities to ensure that their supply chain, including non-EU entities, adheres to operational resilience standards. Non-EU organizations in these supply chains may face increased scrutiny and pressure to comply with DORA, indirectly impacting their operations and costs.
  • Contractual Obligations. Financial institutions in the EU may impose new contractual obligations on non-EU partners to ensure DORA compliance. This could lead to renegotiation of contracts and increased legal and operational overheads for non-EU entities.

5. Global Regulatory Influence

  • Precedent for Other Jurisdictions. DORA could set a precedent, encouraging other jurisdictions to adopt similar regulatory frameworks. Non-EU financial organizations may find themselves needing to adapt to a broader wave of operational resilience regulations globally, beyond just the EU.

6. Impact on Financial Services Market

  • Barrier to Entry. DORA’s stringent requirements might act as a barrier to entry for smaller or less-resourced non-EU financial firms seeking to enter the EU market, potentially limiting competition.
  • Innovation and Fintech. While aiming to enhance security, DORA may also slow down innovation, as non-EU fintech firms might find the compliance burden heavy, possibly leading to a more cautious approach in launching new products or services in the EU.

Summary

The EU DORA Act significantly impacts financial organizations outside the EU, especially those providing services to or operating within the EU.

These entities must align with DORA's requirements to maintain market access and relationships with EU clients, leading to increased compliance costs, operational adjustments, and potential strategic shifts.

The act also exerts indirect pressure on non-EU organizations through their inclusion in the supply chain of EU financial institutions.

As a result, DORA is not just a regional EU regulation but one with far-reaching implications for the global financial services market.

